pupy/README.md

115 lines
6.4 KiB
Markdown
Raw Normal View History

2015-09-21 20:24:27 +00:00
# Pupy
2016-05-07 20:35:47 +00:00
Pupy is an opensource, multi-platform (Windows, Linux, OSX, Android), multi function RAT (Remote Administration Tool) mainly written in python. It features a all-in-memory execution guideline and leaves very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), load remote python code, python packages and python C-extensions from memory.
Pupy modules can transparently access remote python objects using rpyc to perform various interactive tasks.
Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, apk, ...
When you package a payload, you can choose to embbed python scriptlets to perform various tasks offline (without requiring a session), like adding persistence, starting a keylogger, detecting a sandbox, ...
2015-09-21 20:15:05 +00:00
## Features
2015-09-21 20:15:05 +00:00
- On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented)
2016-05-03 15:39:04 +00:00
- Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
- A lot of awesome modules are already implemented!
- Pupy uses [rpyc](https://github.com/tomerfiliba/rpyc) and a module can directly access python objects on the remote client
- We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
2015-10-30 22:34:08 +00:00
- Communication transports are modular and pupy can communicate using obfsproxy [pluggable transports](https://www.torproject.org/docs/pluggable-transports.html.en)
- All the non interactive modules can be dispatched to multiple hosts in one command
2016-05-03 15:39:04 +00:00
- Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu, osx, android)
2015-10-30 22:34:08 +00:00
- Commands and scripts running on remote hosts are interruptible
- Auto-completion for commands and arguments
- Nice colored output :-)
2016-05-03 15:39:04 +00:00
- Custom config can be defined: command aliases, modules automatically run at connection, ...
2016-01-19 19:14:39 +00:00
- Interactive python shells with auto-completion on the all in memory remote python interpreter can be opened
- Interactive shells (cmd.exe, /bin/bash, ...) can be opened remotely. Remote shells on Unix clients have a real tty with all keyboard signals working fine just like a ssh shell
- Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
2016-05-03 15:39:04 +00:00
- Pupy can generate payloads in multiple formats : exe (x86, x64), dll(x86, x64), python, python one-liner, apk, ...
- "scriptlets" can be embeded in generated payloads to perform some tasks without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm ...)
2016-01-19 19:14:39 +00:00
- tons of other features, check out the implemented modules
2015-10-30 22:20:37 +00:00
## Implemented Transports
2015-10-30 22:20:37 +00:00
- tcp_cleartext
- A good example to look at, it's a protocol that does nothing
- tcp_base64
- Another simple example
2015-10-30 22:20:37 +00:00
- tcp_ssl (the default one)
- obfs3
- [A protocol to keep a third party from telling what protocol is in use based on message contents](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt)
- scramblesuit
- [A Polymorphic Network Protocol to Circumvent Censorship](http://www.cs.kau.se/philwint/scramblesuit/)
2015-09-21 20:15:05 +00:00
2016-05-03 15:39:04 +00:00
## Implemented Launchers (not up to date, cf. ./pupygen.py -h)
Launchers allow pupy to run custom actions before starting the reverse connection
- simple
- Just connect back
- auto_proxy
2016-06-01 15:27:11 +00:00
- Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable
2016-05-03 15:39:04 +00:00
## Implemented Modules (not up to date)
### All platforms:
- interactive python shell with auto-completion
- interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, ...)
2015-10-30 22:05:36 +00:00
- tty allocation is well supported on target running a unix system. Just looks like a ssh shell
2016-05-03 15:39:04 +00:00
- command execution
2015-10-30 22:05:36 +00:00
- download
- upload
2015-10-08 17:36:37 +00:00
- persistence
2015-09-21 20:15:05 +00:00
- socks5 proxy
2016-01-19 19:14:39 +00:00
- local and remote port forwarding
2015-09-22 20:18:56 +00:00
- shellcode exec (thanks to @byt3bl33d3r)
2016-05-03 15:39:04 +00:00
### Windows specific :
- migrate
- inter process architecture injection also works (x86->x64 and x64->x86)
- in memory execution of PE exe both x86 and x64!
- works very well with [mimitakz](https://github.com/gentilkiwi/mimikatz) :-)
- screenshot
- webcam snapshot
2016-05-07 20:35:47 +00:00
- microphone recorder
2015-10-30 22:05:36 +00:00
- keylogger
- monitor keys and the titles of the windows the text is typed into, plus the clipboard! (thanks @golind for the updates)
2015-10-30 22:05:36 +00:00
- mouselogger:
- takes small screenshots around the mouse at each click and send them back to the server (thanks @golind)
2016-05-03 23:26:53 +00:00
- token manipulation
- getsystem
2015-09-21 20:15:05 +00:00
2016-05-03 15:39:04 +00:00
### Android specific
2016-06-01 15:27:11 +00:00
- Text to speech for Android to say stuff out loud
2016-05-03 15:39:04 +00:00
- webcam snapshot (front cam & back cam)
2016-01-19 19:14:39 +00:00
##Installation
2016-01-24 12:57:46 +00:00
[Refer to the wiki](https://github.com/n1nj4sec/pupy/wiki/Installation)
2016-01-19 19:14:39 +00:00
##Documentation
2016-01-24 12:57:46 +00:00
[Refer to the wiki](https://github.com/n1nj4sec/pupy/wiki)
2015-09-21 20:50:01 +00:00
2016-05-03 15:39:04 +00:00
### Some screenshots (not up to date)
[Screenshot section on the wiki](https://github.com/n1nj4sec/pupy/wiki)
2015-09-21 20:50:01 +00:00
2016-01-19 19:18:27 +00:00
## FAQ
> Does the server work on windows?
Pupy server works best on linux. The server on windows has not been really tested and there is probably a lot of bugs. I try my best to code in a portable way but I don't always find the time to fix everything. If you find the courage to patch non-portable code, I will gladly accept pull requests! :)
> I can't install it, how does it work?
Have a look at the Installation section in the wiki
2016-05-03 15:39:04 +00:00
> Hey, I love pupy and I was wondering if I could offer you a beer !
2016-01-19 19:18:27 +00:00
2016-05-03 15:39:04 +00:00
Sure ! thank you !
Via pledgie :<a href='https://pledgie.com/campaigns/31614'><img alt='Click here to lend your support to: opensource security projects https://github.com/n1nj4sec and make a donation at pledgie.com !' src='https://pledgie.com/campaigns/31614.png?skin_name=chrome' border='0' ></a>
Via BTC: 12BKKN81RodiG9vxJn34Me9ky19ArqNQxC
2016-01-19 19:18:27 +00:00
> hey c4n y0u add a DDOS module plzz?
No.
## Contact
by mail: contact@n1nj4.eu
on Twitter: [Follow me on twitter](https://twitter.com/n1nj4sec)
2016-05-03 23:31:47 +00:00
If some of you want to participate to pupy development, don't hesitate ! All help is greatly appreciated and I will review every pull request.
2016-05-03 15:39:04 +00:00
This project is a [personal development](https://en.wikipedia.org/wiki/Personal_development), please respect its philosophy and don't use it for evil purposes!
2016-01-19 19:18:27 +00:00